Top cybersecurity legislation of 2019

2018 may go down as the year the EU’s GDPR went into effect but legislators domestically kept busy introducing and passing legislation meant to bolster the U.S.’s cybersecurity and privacy postures.

California Privacy Act

After a rush to get legislation done so a ballot measure slated for the November election could be pulled by the withdrawal deadline, the California State Assembly passed the California Consumer Privacy Act of 2018, which many privacy pros peg as the foundation of an eventual U.S. GDPR-type law. The act, set to take effect in 2020, is the most stringent of its kind in the U.S. “With the breaking news of the dramatic passage of California’s new privacy law, AB 375, the strictest privacy measure in the nation, along with the coming into force of the European GDPR and SCOTUS decision in Carpenter – it’s clear privacy has risen to the top of policymakers’ agenda worldwide,” said Omer Tene, Chief Knowledge Officer of the International Association of Privacy Professionals (IAPP). “Now, industry will need to adapt.” Support for a national law that addresses privacy issues has grown. Apple CEO Tim Cook recently said that his company is “in full support of a comprehensive federal privacy law in the United States.”

Cook called the argument made by some tech companies that they could “never achieve technology’s true potential” if they are “constrained by privacy regulation” as not only “just wrong,” but also destructive. “We will never achieve technology’s true potential without the full faith and confidence of the people who use it,” he said, noting that legislation should be based on users having the right to access to the data companies collect and to security. “Security is foundational to trust and all other privacy rights.”

National breach notification law

A bill introduced by the House Financial Services Committee would amend the Gramm-Leach-Bliley Act (GLBA) to include a national breach notification law for the financial industry that would supersede the multitude of state laws.

“It is going to take better cooperation from all my colleagues and the industries that handle consumer data in order to advance additional meaningful changes,” the author of the bill, Rep. Blaine Luetkemeyer, R-Mo., said in a statement. “At some point, there will be another major breach, and without a comprehensive solution our constituents will pay the price for our inaction.”

California’s IoT law applies to manufacturers of devices or those who have a device manufactured on its behalf for sale in California. It does not, however, apply to devices purchased for resale, even if they are privately labeled, and some legal experts feel “the law is ambiguous in many respects, and will likely create significant challenges in its implementation and effectiveness,” according to Sudhakar Ramakrishna, CEO, Pulse Secure.

Introduced in December 2017 by Sen. James Lankford, R-Okla., the proposed legislation in many ways resembles the Protecting American Votes and Elections Act of 2018 bill. It would eliminate paperless voting machines, replacing them with paper ballots. It also encourages states to perform post-election audits. In June 2018, the bill, which was panned by a White House that said DHS has the needed statuatory authority to assist states, was submitted to the Congressional Committee on Rules and Administration, and hearings were held. But the legislation has not progressed since then.

Cybersecurity and Infrastructure Security Agency Act

In November, the president signed H.R. 3359, legislation that redesignates the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). Introduced by Rep. Michael McCaul (R-Tex.), the bill, known as the Cybersecurity and Infrastructure Security Agency Act of 2017, amends the Homeland Security Act of 2002. According to a Congressional bill summary, the legislation states that CISA would be “headed by a Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of U.S. cybersecurity, emergency communications, and critical infrastructure.” This restructured agency would consist of a cybersecurity division, an infrastructure security division and an emergency communications division.

NIST Small Business Cybersecurity Act

A year and nearly four months after the measure was introduced, the NIST Small Business Cybersecurity Act was officially signed into law. Originally proposed as H.R. 2105 in April 2017, the act was later absorbed into U.S. federal law S.770, and requires the director of the National Institute of Standards and Technology, within within one year of the law’s passing, to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks. S.770 also tasks NIST, a division of the U.S. Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and “include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.”

ENCRYPT Act

A bipartisan group of representatives has put forth a bill to create a national standard encryption that would supersede any similar standards created on the state or local levels. Representatives Ted W. Lieu D-Calif., Mike Bishop R-Mich., Suzan DelBene D-Wash. and Jim Jordan R-Ohio reintroduced the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act. If enacted the bill would ensure a uniform, national policy for the interstate issue of encryption technology. “As a computer science major, I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” Lieu said.Bishop agreed saying the concept of having a central repository is key to defending the nation against cyberattacks.

CLOUD Act

Rights groups sounded the alarm over the Clarifying Lawful Overseas Use of Data (CLOUD) Act, ostensibly meant to streamline the process through which law enforcement accesses data across borders, saying that it instead would circumvent Fourth Amendment protections and put human rights activists at risk. The act would essentially provide a “backdoor” for law enforcement at home and abroad to access emails, chat logs, videos and photos, “without following the privacy rules where the data is stored,” according to an Electronic Frontier Foundation (EFF) blog post. The CLOUD Act backdoor “operates much in the same way” as provisions under Section 702 of the FISA Amendments Act that let police “search, read and share” private communications without obtaining a warrant, the post states. Essentially, “U.S. police could obtain Americans’ data, and use it against them, without complying with the Fourth Amendment.”

Russian sanctions legislation

Determined to show Russia the full wrath of the U.S. government for its interference in the 2016 presidential election, a bevy of Democratic and Republican senators pushed a bill that would, according to Sen. Lindsey Graham, R-S.C., “impose crushing sanctions and other measures” on the nation-state until Russian President Vladimir Putin puts a halt to meddling in U.S. elections and cyberattacks on critical infrastructure. The legislation reiterates the U.S.’s support for NATO and would require a two-thirds vote to exit the organization. Interference in elections would be grounds for refusing to allow immigration to the U.S. The bill includes an International Cybercrime Prevention Act that would let prosecutors “shut down botnets and other digital infrastructure that can be used for a wide range of illegal activity” while the Defending the Integrity of Voting Systems Act would the Justice Department “pursue federal charges for the hacking of any voting system that is used in a federal election.”

FISA Amendments Authorization Act

A six-year extension to the much-debated Section 702 of the Foreign Intelligence Surveillance Act (FISA) made its way to the White House for the president to sign in January after the Senate gave it a nod by a vote of 65 to 34.

But not without some confusion and controversy. Prior to an earlier House vote, President Trump posted a pair of contradictory tweets over his take on the proposed legislation that momentarily threw lawmakers into confusion over his position. “We’re disappointed with the passage of the FISA Amendments Reauthorization Act and the misleading statements supporters of the bill made about the collection of communications, the process by which these records are obtained by the FBI, and the alternatives offered by privacy-minded members of the House and Senate like Justin Amash, Mike Lee, Rand Paul, and others,” FreedomWorks Vice President of Legislative Affairs Jason Pye said in a statement.

Cyber Diplomacy Act

A bipartisan group of lawmakers cheered the passage of the Cyber Diplomacy Act (H.R. 3776) by the House of Representatives. The bill was introduced by Rep. Edward Royce, R-Calif., and Elliot Engel, D-N.Y., in September 2017 and will now move on to the Senate. If signed into law the Cyber Diplomacy Act would require the government to secure and implement commitments from other countries on proper cyberspace behavior. This would include generating agreements between nations to not support cybercriminal activity such as theft of intellectual property, cooperate in developing measures to keep their territories clear of intentionally wrongful acts using information and communications technology (ICT) in violation of international commitments and promote securely-designed ICT products.